$./fmt2
This is a fy??.
What was that? Looks like Greek, but actually, it's machine language (binary), shown
in ASCII. In any event, it is probably not what you were expecting. To make matters
worse, what if the second form of printf() is used like this:
//fmt3.c
#include <stdio.h>
int main(int argc, char *argv[]){
    printf(argv[1]);   /* user input is used directly as the format string */
    return 0;
}
If the user runs the program like this, all is well:
$gcc -o fmt3 fmt3.c
$./fmt3 Testing
Testing#
The cursor is at the end of the line because we did not use an \n carriage return as
before. But what if the user supplies a format string as input to the program?
$gcc -o fmt3 fmt3.c
$./fmt3 Testing%s
TestingYyy????y#
Wow, it appears that we have the same problem. However, it turns out this latter case
is much more deadly because it may lead to total system compromise. To find out what
happened here, we need to learn how the stack operates with format functions.
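As an added illustration (not code from the book), the following places the fmt3.c pattern beside its fix and adds a small helper that counts how many % directives a string like Testing%s would trigger if it were ever used as a format; the helper names and the sample input are constructed for this example.

```c
/* Added example: the fmt3.c bug beside its fix.
 * The vulnerable form passes user input as the *format* argument, so every
 * '%' directive in the input is interpreted by printf(). The fixed form uses
 * a constant format and passes the input as an ordinary "%s" argument. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from fmt3.c: the user string *is* the format string.
 * Shown only for contrast; it is never invoked with input in this program. */
static void echo_unsafe(const char *user)
{
    printf(user);   /* gcc -Wformat-security flags exactly this line */
}

/* Fixed pattern: constant format, user string treated purely as data.
 * Returns the number of characters the full string would need. */
static int echo_safe(char *out, size_t outsz, const char *user)
{
    return snprintf(out, outsz, "%s", user);
}

/* Count '%' directives that would fire if s were used as a format string.
 * "%%" is a literal percent sign and is not counted. Handy as a unit-test
 * or log check for inputs that must never reach a format argument. */
static int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}

int main(int argc, char *argv[])
{
    char buf[256];
    /* constructed sample input, same as the book's second run of fmt3 */
    const char *input = argc > 1 ? argv[1] : "Testing%s";
    echo_safe(buf, sizeof buf, input);
    printf("%s (%d directive(s) would fire if used as a format)\n",
           buf, count_directives(input));
    (void)echo_unsafe;   /* referenced so the contrast compiles; not called */
    return 0;
}
```

With the safe form, Testing%s is printed back literally, which is what the user of fmt3 expected in the first place.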
Stack Operations with Format Functions
To illustrate the function of the stack with format functions, we will use the following
program:
//fmt4.c
#include <stdio.h>
int main(){
    int one=1, two=2, three=3;
    printf("Testing %d, %d, %d!\n", one, two, three);
    return 0;
}
$gcc -o fmt4 fmt4.c
$./fmt4
Testing 1, 2, 3!
Gray Hat Hacking: The Ethical Hacker's Handbook
172
During execution of the printf() function, the stack looks like Figure 8-1.